Introduction

Active Directory uses the LDAP (Lightweight Directory Access Protocol) for read and write access. By default LDAP connections are unencrypted. To secure LDAP traffic, you can use SSL/TLS. This document will describe how to enable LDAP over SSL (LDAPS) by installing a certificate in Samba.

General information

To use TLS, Samba has to be compiled with „--enable-gnutls“. To verify, use the following command:

# smbd -b | grep "ENABLE_GNUTLS"
ENABLE_GNUTLS

The private key must be accessible without a passphrase, i.e. it must not be encrypted!

The files that Samba uses have to be in PEM format (Base64-encoded DER). The content is enclosed between markers such as "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".

When intermediate certificates are used, they have to be appended to the cert.pem file after the server certificate.

Important smb.conf parameters for LDAPS

LDAPS is controlled by various smb.conf parameters, which all start with „tls“. See the manpage for details.

The „tls*“ parameters are set in the „[global]“ section of your smb.conf. After any changes, you will have to restart Samba.

Using the Samba autogenerated self-signed certificate (default)

On its first startup, Samba creates a private key, a self-signed certificate and a CA certificate:

/usr/local/samba/private/tls/ca.pem

/usr/local/samba/private/tls/cert.pem

/usr/local/samba/private/tls/key.pem

The certificates are valid for 700 days after creation (the lifetime used when auto-creating the certificates is hardcoded in „source4/lib/tls/tlscert.c“).

By default TLS is enabled („tls enabled = yes“), the above files are used and correspond to the following smb.conf parameters:

Using a custom self-signed certificate

Change into the directory where you want to store the key and certificate:

# cd /usr/local/samba/private/tls/

Create a private key (2048 bit) and a self-signed certificate, valid for 1 year. You'll be asked a couple of questions. It is very important that you fill „Common Name“ with the FQDN of the DC you are generating the certificate for (the output of „hostname -f“)!

# openssl req -newkey rsa:2048 -keyout myKey.pem -nodes -x509 -days 365 -out myCert.pem
Generating a 2048 bit RSA private key
......+++
..................+++
writing new private key to 'myKey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:My State
Locality Name (eg, city) [Default City]:My City
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Department
Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com
Email Address []:demo@example.com

Using a trusted certificate

Change into the directory where you want to store the key and certificate:

# cd /usr/local/samba/private/tls/

Create a 2048-bit server key:

# openssl genrsa -out myKey.pem 2048

Generate a certificate signing request (CSR). You'll be asked a couple of questions. The most important one is that you fill „Common Name“ with the FQDN of the DC you are generating the certificate for (the output of „hostname -f“)!

# openssl req -new -key myKey.pem -out myCSR.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:My State
Locality Name (eg, city) [Default City]:My City
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Department
Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com
Email Address []:demo@example.com

Use your CSR to obtain a trusted certificate from a CA. Please check the CA's documentation for details on the process.

Once you have received your trusted certificate, store it in the same directory as the server key (name it e.g. myCert.pem).

If your CA requires intermediate certificates, also store them in the same directory as the other files (e.g. myIntermediate.pem).
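A pre-flight check for the files this document asks you to create, as an added example that is not part of the Samba project or of this page. It ties the rules above together: the PEM markers and the passphrase-free private key from "General information", the server-certificate-then-intermediates order required for the certificate file, and, via openssl, whether key and certificate belong together, whether the CN equals „hostname -f“, and how close the expiry is (useful for the 700-day autogenerated certificates as well). On success it prints the „tls*“ lines for „[global]“. The script name ldaps-check.sh, the 30-day expiry threshold and the file names are assumptions; „tls enabled“, „tls keyfile“, „tls certfile“ and „tls cafile“ are the real smb.conf parameters, and because the default files on this page live under Samba's private directory the snippet uses paths relative to it (an assumption; use absolute paths if in doubt).

```shell
#!/bin/sh
# Pre-flight check for the Samba LDAPS files (key, server certificate, CA
# certificate). Added example, not part of the Samba project. The text checks
# need only grep/cat/sed; the certificate checks need the openssl CLI.
# Usage: sh ldaps-check.sh /usr/local/samba/private/tls [key.pem cert.pem ca.pem]

# Return 0 if FILE ($1) contains a PEM block of TYPE ($2), e.g. CERTIFICATE.
pem_has_block() {
    grep -q "^-----BEGIN $2-----" "$1" && grep -q "^-----END $2-----" "$1"
}

# Return 0 if FILE is a private key Samba can load without a passphrase:
# a PEM key block that is neither PKCS#8 "ENCRYPTED PRIVATE KEY" nor a
# traditional key carrying a "Proc-Type: 4,ENCRYPTED" header.
key_is_unencrypted() {
    pem_has_block "$1" "PRIVATE KEY" || pem_has_block "$1" "RSA PRIVATE KEY" \
        || pem_has_block "$1" "EC PRIVATE KEY" || return 1
    ! grep -q "ENCRYPTED" "$1"
}

# Write the server certificate first and every intermediate after it to
# stdout, the order the certificate file handed to Samba must have.
build_cert_chain() {
    server=$1
    shift
    cat "$server" "$@"
}

# Print the [global] lines that point Samba at the three files. Paths are
# given relative to Samba's private directory (e.g. tls/myKey.pem), an
# assumption of this example; absolute paths work as well.
smb_tls_snippet() {
    printf '[global]\n\ttls enabled = yes\n\ttls keyfile = %s\n\ttls certfile = %s\n\ttls cafile = %s\n' \
        "$1" "$2" "$3"
}

# --- checks below need openssl -------------------------------------------

# Return 0 if CERT ($1) expires within DAYS ($2) days (-checkend succeeds
# only while the certificate is still valid at that point in time).
cert_expires_within() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Print the subject CN of CERT ($1); it has to equal "hostname -f" of the DC.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if the public key inside CERT ($2) belongs to KEY ($1).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run all checks against DIR ($1) and optional file names; print findings
# and, on success, the smb.conf lines to paste into [global].
check_tls_dir() {
    dir=$1; keyf=${2:-key.pem}; certf=${3:-cert.pem}; caf=${4:-ca.pem}
    key=$dir/$keyf; cert=$dir/$certf; ca=$dir/$caf; rc=0
    pem_has_block "$cert" CERTIFICATE || { echo "FAIL: $cert is not a PEM certificate"; rc=1; }
    pem_has_block "$ca" CERTIFICATE || { echo "FAIL: $ca is not a PEM certificate"; rc=1; }
    key_is_unencrypted "$key" || { echo "FAIL: $key is missing, not PEM, or passphrase-protected"; rc=1; }
    if command -v openssl >/dev/null 2>&1; then
        key_matches_cert "$key" "$cert" || { echo "FAIL: $key does not belong to $cert"; rc=1; }
        cn=$(cert_cn "$cert"); fqdn=$(hostname -f 2>/dev/null)
        [ "$cn" = "$fqdn" ] || echo "WARN: CN '$cn' differs from hostname -f '$fqdn'"
        cert_expires_within "$cert" 30 && echo "WARN: $cert expires within 30 days"
    else
        echo "NOTE: openssl not found, skipping key/CN/expiry checks"
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir passed; matching smb.conf settings:"
        smb_tls_snippet "tls/$keyf" "tls/$certf" "tls/$caf"
    fi
    return "$rc"
}

# Only run when a directory is given, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    check_tls_dir "$@"
fi
```

For the trusted-certificate case, build the chain first (`build_cert_chain myCert.pem myIntermediate.pem > myChain.pem`) and then run `sh ldaps-check.sh /usr/local/samba/private/tls myKey.pem myChain.pem ca.pem`; for the autogenerated files the directory alone is enough. The CN comparison is a warning rather than a failure because a certificate may legitimately be generated on another host, but a mismatch is the most common reason LDAPS clients reject the connection.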